Halting Problems

An automated threat intelligence aggregator providing a central hub for supply chain attacks and actively exploited vulnerabilities.

SIEM Ingestion Feed docs
Analyses
86
Machine-readable
JSON feed
Hunting
Scripts tracked
86 analyses shown
critical26 signals

pnpm Package-Manager Supply-Chain Advisory Batch

pnpm disclosed a cluster of package-manager vulnerabilities affecting lockfile integrity, Git dependency fetching, repository registry configuration, patch application, and symlink creation; responders should inventory vulnerable pnpm versions and review credential-bearing install paths.

Signals
26
Last updated
2026-06-27
Hunting
Has script
#supply-chainnpm
critical11 signals

@cyclonedx/cdxgen Maven Scanner Command Injection

CycloneDX cdxgen before 12.4.3 could execute shell metacharacters from repository-controlled Maven module paths when scanning attacker-controlled projects, putting developer workstations and CI SBOM runners at risk.

Signals
11
Last updated
2026-06-26
Hunting
Has script
#supply-chainnpm
critical53 signals

Immobiliare Labs Backstage npm Packages Hit by Phantom Gyp

On June 26, 2026, multiple @immobiliarelabs Backstage plugin versions were published to npm with a binding.gyp node-gyp hook and a new 5 MB index.js payload. Treat affected Backstage builds and developer or CI installs as credential exposure until lockfiles, package caches, and downstream audits are clean.

Signals
53
Last updated
2026-06-26
Hunting
Has script
#supply-chainnpm
critical44 signals

Leo Platform npm Miasma / Phantom Gyp Compromise

StepSecurity disclosed a June 24, 2026 Leo Platform npm supply-chain compromise affecting 20 packages published in a three-second burst. Socket and Sonatype then tied three more malicious npm packages to the same Miasma / Mini Shai-Hulud Phantom Gyp tradecraft, extending the incident into a 23-package campaign update.

Signals
44
Last updated
2026-06-25
Hunting
Has script
#supply-chainnpm
critical22 signals

simonecorsi/mawesome GitHub Action Tag Hijack

Mutable refs for simonecorsi/mawesome including latest, v1, v2, and v2.2.0 currently resolve to a composite action that installs Bun and always runs an obfuscated JavaScript payload, exposing GitHub Actions runners that still trust those tags.

Signals
22
Last updated
2026-06-25
Hunting
Has script
#supply-chaingithub actions
critical24 signals

codfish/semantic-release-action GitHub Action Tag Hijack

An attacker force-pushed a malicious composite action into codfish/semantic-release-action and moved fifteen published tags to that commit, exposing GitHub Actions runners that still trusted mutable refs such as v3, v4, and v5.

Signals
24
Last updated
2026-06-24
Hunting
Has script
#supply-chaingithub actions
critical13 signals

15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers

StepSecurity and JetBrains say 15 malicious JetBrains Marketplace plugins stole AI provider API keys from developers, then a remote kill-switch and marketplace purge removed the listings and banned the publisher accounts.

Signals
13
Last updated
2026-06-19
Hunting
Has script
#supply-chainjetbrains-marketplace
medium20 signals

buffer-utilities: Lazarus Group npm Brandjacking Dropper

Sonatype and JFrog describe buffer-utilities as a malicious npm brandjacking package in a Lazarus Group campaign; the package acts as a dropper that fetches and launches remote payloads.

Signals
20
Last updated
2026-06-18
Hunting
Has script
#supply-chainnpm
medium19 signals

Mastra npm Supply Chain Attack

On 2026-06-17, public reporting described an @mastra package-scope compromise that pushed easy-day-js as a malicious dependency across 140+ packages, executed a setup.cjs postinstall dropper, and exposed more than 1.1 million weekly downloads to second-stage credential theft and remote code execution behavior.

Signals
19
Last updated
2026-06-17
Hunting
Has script
#supply-chainnpm
medium6 signals

Pythagora gpt-pilot GitHub Compromise

An attacker hijacked a Pythagora co-founder's GitHub account, force-pushed a Shai-Hulud credential-stealer to gpt-pilot's main branch, and lost the payload twice to ruff lint failures before any public downstream execution was shown.

Signals
6
Last updated
2026-06-17
Hunting
Has script
#supply-chainGitHub
medium0 signals

Cisco Catalyst SD-WAN Manager CVE-2026-20262: KEV Path Traversal in the Management Plane

CISA added Cisco Catalyst SD-WAN Manager CVE-2026-20262 to KEV on 2026-06-15 with a 2026-06-29 due date. Cisco says authenticated attackers with at least write access can abuse a web-UI file-upload path traversal to create or overwrite files on affected systems across all SD-WAN deployment types.

Signals
0
Last updated
2026-06-15
Hunting
Has script
#supply-chain
medium0 signals

LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting

CISA added LiteSpeed cPanel Plugin CVE-2026-54420 to KEV on 2026-06-15 with a 2026-06-18 due date. LiteSpeed says v2.4.8, bundled with WHM Plugin v5.3.2.1, fixes a symlink-following flaw that can let a user with FTP or web shell access escalate to root on shared hosting servers running CloudLinux/CageFS.

Signals
0
Last updated
2026-06-15
Hunting
Has script
#supply-chain
medium7 signals

OptinMonster Supply Chain Attack

Awesome Motive's CDN-hosted SDK files for WordPress plugins OptinMonster, TrustPulse, and PushEngage were tampered to inject malicious JavaScript. When an administrator logs in, the payload runs in their context, creates rogue administrator accounts, and silently installs a self-hiding PHP backdoor plugin, exfiltrating credentials to tidio[.]cc.

Signals
7
Last updated
2026-06-12
Hunting
Has script
#supply-chain
medium4 signals

Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation

CISA added actively exploited Oracle PeopleSoft PeopleTools CVE-2026-35273 to KEV on 2026-06-12. Affects PSEMHUB in versions 8.61 and 8.62, allowing unauthenticated remote code execution exploited by ShinyHunters.

Signals
4
Last updated
2026-06-12
Hunting
Has script
#supply-chain
medium0 signals

Ivanti Sentry CVE-2026-10520: KEV Pre-Auth OS Command Injection

CISA and Ivanti confirmed active exploitation of CVE-2026-10520, a critical pre-authentication OS command injection vulnerability in Ivanti Sentry. Attackers can execute arbitrary commands with root privileges by sending a crafted HTTP POST request to Sentry MICS APIs.

Signals
0
Last updated
2026-06-11
Hunting
Has script
#supply-chain
medium2 signals

Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass

CISA added actively exploited Arista EOS CVE-2026-7473 to KEV on 2026-06-09. Affected tunnel endpoints may decapsulate unexpected protocols sent to a configured decapsulation IP; Arista rates the issue Medium and provides configuration checks and ACL mitigations.

Signals
2
Last updated
2026-06-09
Hunting
Has script
#supply-chain
medium14 signals

Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass

Check Point and CISA confirmed active exploitation of CVE-2026-50751, an IKEv1 Remote Access and Mobile Access authentication bypass. Check Point observed targeting from May 7, 2026, added campaign IOCs through June 10, and linked one post-compromise case to a Qilin ransomware affiliate.

Signals
14
Last updated
2026-06-08
Hunting
Has script
#supply-chain
medium79 signals

Hades PyPI Graph ML Memory Scraper Campaign

StepSecurity reported the Hades campaign across graph ML and bioinformatics PyPI packages, using Python import hooks to download Bun v1.3.14, run _index.js, scrape secrets across Linux/macOS/Windows runners, plant developer-tooling persistence, and create GitHub exfiltration repositories.

Signals
79
Last updated
2026-06-08
Hunting
Has script
#supply-chainunknown